Setup files that can get around UAC
I just downloaded an old edition of burnaware_free.exe, version 2.3.3, from here: http://www.digital-digest.com/softwa..._free.exe.html
and noticed that when I was logged in as a standard user (not admin), it does not trigger a UAC prompt and allows me to install the application even though I am not running elevated. Typically a setup file in such a circumstance would trigger a UAC prompt with the message: "To continue, type an administrator password and then click Yes."
By contrast, version 3.0.1 triggers a UAC prompt for standard users attempting to install it: http://www.digital-digest.com/softwa..._free.exe.html
I looked at all the security settings although I could not work out what was set to turn off UAC for the setup file. Is it common, and what do I look for to determine if a setup file is designed to get around UAC? Could it be a simple manifest issue?
Re: Setup files that can get around UAC
Well, I would think it would depend on where you are using the program! For example, if you are using the program at home you should be able to run the program as administrator and not receive the prompt. However, I would think that a business would have rules/restrictions in place to account for this due to the sensitive data they need to handle.
Re: Setup files that can get around UAC
Quote: Originally Posted by Nightwalker83
Well, I would think it would depend on where you are using the program! For example, if you are using the program at home you should be able to run the program as administrator and not receive the prompt. However, I would think that a business would have rules/restrictions in place to account for this due to the sensitive data they need to handle.
You are right, Nightwalker83, there are 2 issues going on: UAC and Admin/Standard User protection. I seem to remember that on XP, where there is no UAC, a standard user needs admin permission to install any application, although there are some exceptions such as Firefox that seemed to be able to get around the inbuilt Admin/Standard User security, which creates a headache for network managers. I am still not sure how Mozilla got around the inbuilt security.
Re: Setup files that can get around UAC
All exe files with "Setup", "Install" or "update" in the name will automatically trigger the UAC elevation regardless of manifest content. If you want any old installer to trigger it, just rename it to Setup.exe.
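Added example (not code from the thread or from any poster): a Python triage sketch for the original question of what to look for in a setup file. It reads the PE machine type and any embedded requestedExecutionLevel, then applies the file-name keywords listed above; Microsoft documents installer detection as applying to 32-bit executables that declare no requested execution level, launched by a standard user with UAC enabled. Only the file-name part of that heuristic is modelled, and fake_pe and the sample bytes are constructed.

```python
import re
import struct

KEYWORDS = ("setup", "install", "update")  # file-name keywords named in the thread
LEVEL_RE = re.compile(
    rb'<(?:\w+:)?requestedExecutionLevel\b[^>]*?\blevel\s*=\s*["\'](\w+)["\']', re.I)

def pe_machine(data):
    """Return the COFF Machine field (0x014C = x86, 0x8664 = x64) or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0" or len(data) < off + 6:
        return None
    return struct.unpack_from("<H", data, off + 4)[0]

def requested_level(data):
    """Manifest level as lower-case text, or None when no level is declared.
    Assumes the manifest is stored as plain ASCII/UTF-8 and the file is not packed."""
    m = LEVEL_RE.search(data)
    return m.group(1).decode().lower() if m else None

def triage(filename, data):
    """Predict what a standard user sees when launching this file with UAC on."""
    level = requested_level(data)
    is_32bit = pe_machine(data) == 0x014C
    name_hit = any(k in filename.lower() for k in KEYWORDS)
    if level == "requireadministrator":
        verdict = "prompt: manifest requires administrator"
    elif level in ("asinvoker", "highestavailable"):
        verdict = "no prompt: manifest accepts the standard user's token"
    elif is_32bit and name_hit:
        verdict = "prompt: no manifest level, installer detection matches the name"
    else:
        verdict = "likely no prompt: no manifest level and no name-based detection"
    return {"level": level, "is_32bit": is_32bit, "name_hit": name_hit, "verdict": verdict}

def fake_pe(machine, manifest=b""):
    """Constructed sample: minimal DOS/PE header bytes followed by manifest text."""
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return header + b"PE\0\0" + struct.pack("<H", machine) + manifest

AS_INVOKER = b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
for name, blob in [("tool_setup.exe", fake_pe(0x014C)), ("tool_free.exe", fake_pe(0x014C)),
                   ("tool_setup.exe", fake_pe(0x014C, AS_INVOKER))]:
    print(name, "->", triage(name, blob)["verdict"])
```

On a real installer, pass the file's bytes (open(path, "rb").read()) and treat the verdict as a first-pass hint to confirm on a test machine.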
Re: Setup files that can get around UAC
Quote: Originally Posted by TomasEss
All exe files with "Setup", "Install" or "update" in the name will automatically trigger the UAC elevation regardless of manifest content. If you want any old installer to trigger it, just rename it to Setup.exe.
True, thanks for the reply.
I just had a look at Inno Setup and the help file indicates that it is possible to create a setup that installs even if the user does not have admin rights, so it seems there is no internal Windows security to stop regular users from installing applications; it is entirely dependent on the setup creator, which is probably how Firefox got around the need to have admin rights to install. It is just bad form and really annoying for system admins when a setup allows users to do their own installs.
Re: Setup files that can get around UAC
There is code to do the same thing with the UAC as version 2.3.3 here on the forums! I would imagine that the company thought that bypassing the UAC could be a security risk and that is why version 3.0.1 requires the UAC in order for a standard user to install the software.
Re: Setup files that can get around UAC
There is no problem to create an installer that does not require admin rights. It will also work with UAC turned on. Simply avoid the locations that are a no-no, like Program Files, Windows and System folders, HKLM hive in registry etc. If just installing to user specific locations you can work around both admin rights and UAC. BUT of course only the current user will be able to run the app and you won't have any machine wide settings. That's how Chrome does it as far as I have understood, and that is an annoyance...
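Added example (not code from the thread, from Inno Setup or from any poster): a small Python linter for the Inno Setup case mentioned earlier in the thread and the rule in this post. When a script sets PrivilegesRequired=lowest, it flags targets in the locations listed above (Program Files, Windows and System folders, HKLM), which a standard user normally cannot write. The parsing is simplified (no quoted semicolons, no includes) and the sample script is constructed.

```python
import re

# Inno Setup constants for the machine-wide folders the post lists
# (Program Files / Common Files, Windows, System).
PROTECTED = re.compile(r"\{(?:(?:common)?(?:pf|cf)(?:32|64)?|win|sys)\}", re.I)

def lint_iss(text):
    """Return [(line_no, message)] for targets a non-elevated install cannot write."""
    section, setup, entries = None, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section = head.group(1).lower()
        elif section == "setup" and "=" in line:
            key, value = line.split("=", 1)
            setup[key.strip().lower()] = (n, value.strip())
        elif section in ("files", "dirs", "registry"):
            params = {k.strip().lower(): v.strip().strip('"')
                      for k, v in (p.split(":", 1) for p in line.split(";") if ":" in p)}
            entries.append((n, section, params))
    # Inno Setup's default is admin; only a "lowest" script claims to need no elevation.
    if setup.get("privilegesrequired", (0, "admin"))[1].lower() != "lowest":
        return []
    findings = []
    app_line, app_dir = setup.get("defaultdirname", (0, ""))
    if PROTECTED.search(app_dir):
        findings.append((app_line, f"DefaultDirName={app_dir}"))
    for n, section, params in entries:
        if section == "registry":
            if params.get("root", "").upper().startswith("HKLM"):
                findings.append((n, "registry root " + params["root"]))
        else:
            target = params.get("destdir") or params.get("name", "")
            if PROTECTED.search(target.replace("{app}", app_dir)):  # {app} = install dir
                findings.append((n, f"{section} target {target}"))
    return findings

# Constructed sample script, not taken from any real installer.
SAMPLE = r"""[Setup]
PrivilegesRequired=lowest
DefaultDirName={localappdata}\Demo
[Files]
Source: "demo.exe"; DestDir: "{app}"
Source: "helper.dll"; DestDir: "{sys}"
[Registry]
Root: HKCU; Subkey: "Software\Demo"
Root: HKLM; Subkey: "Software\Demo"
"""
print(lint_iss(SAMPLE))
```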
Re: Setup files that can get around UAC
Quote: Originally Posted by Nightwalker83
There is code to do the same thing with the UAC as version 2.3.3 here on the forums! I would imagine that the company thought that bypassing the UAC could be a security risk and that is why version 3.0.1 requires the UAC in order for a standard user to install the software.
With you on that Nightwalker.
Re: Setup files that can get around UAC
Quote: Originally Posted by TomasEss
There is no problem to create an installer that does not require admin rights. It will also work with UAC turned on. Simply avoid the locations that are a no-no, like Program Files, Windows and System folders, HKLM hive in registry etc. If just installing to user specific locations you can work around both admin rights and UAC. BUT of course only the current user will be able to run the app and you won't have any machine wide settings. That's how Chrome does it as far as I have understood, and that is an annoyance...
Thanks for your good insights TomasEss, that explains what is actually happening in the case of Firefox and Google.